The Safety Case Becomes the Release Gate
A safety case is not a system card, a benchmark score, or a promise. It is an argument about why a frontier AI system should be allowed to cross a deployment boundary.
The strict version is not a brochure: it is a dated, reviewable claim map and decision packet that can expire, fail, or force a narrower release when the evidence does not support the proposed boundary.
From Score to Case
The most important frontier AI governance artifact may not be the model card, the policy statement, the red-team report, or the benchmark table. It may be the safety case: a structured argument that a model's severe risks have been identified, measured, reduced, and bounded well enough for a particular use.
That shift matters because it changes the release question. A benchmark asks how a system performed on a test. A system card describes capabilities, limitations, training choices, and evaluations. An audit may examine whether a process met a defined standard. A safety case asks a harder institutional question: given the evidence, mitigations, uncertainty, and deployment context, is this system safe enough to cross this boundary?
The phrase comes from safety-critical engineering, where aircraft, nuclear, medical, defense, and industrial systems cannot be governed only by after-the-fact apology. The form is useful because it forces the developer to connect claims to evidence. It also exposes where the evidence is thin. A release decision becomes less like a marketing launch and more like a file that can be inspected, contested, updated, and remembered.
Frontier AI needs that discipline because the object being released is unstable. A model can gain new capability from scale, scaffolding, tools, fine-tuning, retrieval, agent loops, user workflows, and post-deployment updates. The same base model may be harmless in a classroom assistant, dangerous in a cyber agent, and ambiguous inside an internal research automation pipeline. The release gate cannot be a single global adjective such as "safe" or "unsafe." It has to name the boundary being crossed.
For this essay, a safety case means a structured claim-argument-evidence file for a specific AI system in a specific training, deployment, or access context. It states the risk claim, the threat model, the evidence, the mitigations, the residual uncertainty, the decision authority, and the conditions under which the decision must be reopened. Without those parts, the safety case is only a safety story.
The release gate is the decision boundary that depends on that file. It may be a continue-training gate, a large internal-use gate, a trusted-tester gate, an API gate, a consumer-product gate, an open-weight publication gate, or an agent-tooling gate. Treating all of these as one generic "release" is how weak arguments travel beyond their evidence. The safety case should say exactly which door it opens.
A safety case should also identify what would defeat it. If there is no documented evidence threshold, no burden of proof, no reviewer who can reject the argument, and no expiry condition, the artifact is a confidence narrative rather than a release gate.
What It Is Not
A safety case is not a system card. A system card is public documentation about a model or product: capabilities, limitations, evaluations, safeguards, and sometimes deployment conditions. It can summarize a safety case, but it is usually too compressed, curated, and public-facing to be the full argument.
A safety case is not a red-team report. Red teaming produces evidence, often negative evidence: what broke, what almost broke, and what failed to break under specified conditions. The safety case has to say what that evidence proves, what it does not prove, which mitigations followed, and why the remaining risk is acceptable.
A safety case is not an audit certificate. An audit can inspect whether a process, control, or standard was followed. A safety case is the substantive argument that a particular release boundary can be crossed. The two should connect, but neither substitutes for the other.
A safety case is not a benchmark score. Scores can support a claim only when the benchmark maps to the threat model, the model was elicited under realistic conditions, and the deployment wrapper is the same one being released. A benchmark becomes safety evidence only after the argument explains why the score matters.
Why This Form Appeared Now
As of June 25, 2026, the safety-case turn sits inside a broader movement toward frontier AI safety frameworks. At the Seoul AI Summit in 2024, major AI companies agreed to publish safety frameworks focused on severe risks. The UK and Republic of Korea governments listed signatories including Amazon, Anthropic, Cohere, Google, G42, IBM, Inflection AI, Meta, Microsoft, Mistral AI, Naver, OpenAI, Samsung Electronics, Technology Innovation Institute, xAI, and Zhipu.ai, with Magic, Minimax, 01.ai, and NVIDIA later added. The commitments emphasized red-teaming, information sharing, model-weight security, vulnerability reporting, public reporting of capabilities and limitations, and severe-risk frameworks.
Those commitments did not create binding law. They created a governance genre. Developers began publishing responsible scaling policies, preparedness frameworks, frontier safety frameworks, and risk-management documents that define capability thresholds and deployment controls. METR's 2025 comparison of frontier AI safety policies identified common elements across twelve published examples, including capability thresholds, model-weight security, deployment mitigations, halt conditions, evaluations, accountability mechanisms, and update processes.
Google DeepMind made the safety-case vocabulary explicit in its Frontier Safety Framework updates. Its February 2025 update described a deployment mitigation process in which the company develops safeguards, builds a safety case showing how severe risks associated with a model's critical capability levels have been reduced to an acceptable level, and submits that case to a corporate governance body before general availability. Its September 2025 third iteration, updated April 17, 2026, expanded the safety-case review idea to some large-scale internal deployments, not only external launches, when advanced machine-learning research and development capabilities create risk.
OpenAI's updated Preparedness Framework uses adjacent machinery. It distinguishes capabilities reports from safeguards reports, with a Safety Advisory Group reviewing both, assessing residual risk, and making recommendations to leadership about deployment. Anthropic's Responsible Scaling Policy, last updated May 26, 2026, and its Frontier Safety Roadmap use different terminology, but they organize the same institutional problem: as capabilities rise, safeguards, security controls, risk reports, red-teaming, monitoring, external review, and noncompliance reporting have to scale too.
Law is also moving toward the same grammar. Article 55 of the EU AI Act requires providers of general-purpose AI models with systemic risk to evaluate models using state-of-the-art protocols and tools, including documented adversarial testing, to identify and mitigate systemic risks; it also requires systemic-risk assessment and mitigation, serious-incident reporting, and cybersecurity protection. A safety case is not identical to those legal duties, but it is the kind of structured record those duties make legible.
The European Commission's April 28, 2026 guidance makes that compliance stack more concrete. It says GPAI obligations entered application on August 2, 2025, enforcement powers begin on August 2, 2026, and providers of systemic-risk models must notify the AI Office. The General-Purpose AI Code of Practice, published July 10, 2025, adds a Safety and Security chapter for systemic-risk GPAI providers, including safety and security frameworks and model reports. The code is not a public safety-case law by name, but it pushes providers toward a record of risk identification, mitigation, reporting, and review.
In the United States, California's SB 53 turned part of this grammar into state law for large frontier developers. The chaptered text requires a published frontier AI framework, threshold and mitigation processes for catastrophic risk, review of assessments before deployment or extensive internal use, cybersecurity practices for unreleased model weights, critical-safety-incident reporting, and whistleblower protections. It is narrower than whole-of-society AI governance: it focuses on frontier models and catastrophic-risk transparency. That narrowness matters, but it still makes release-gate evidence a statutory object.
Agentic deployment adds another pressure. NIST's AI Agent Standards Initiative, created in February 2026 and updated in April, frames agent standards around secure identity, authorization, interoperability, protocol security, and agent-specific evaluations. The April 2026 allied guidance Careful adoption of agentic AI services is not frontier-release law, but it makes a practical point for safety cases: tool-using agents expand attack surface and should not receive broad or unrestricted access, especially to sensitive data or critical systems. A release gate that ignores credentials, tools, memory, delegation, and human interruption is testing a smaller object than the one being deployed.
The UK AI Security Institute has gone further by making safety cases a research object. It describes work on safety case sketches, collaborations with frontier labs and safety researchers, and the need for publishable structures that outside parties can inspect and build on. That is the key sign that safety cases are moving from internal paperwork toward a possible public governance interface.
What a Case Has to Prove
A real safety case for frontier AI has to do more than recite evaluations. It has to make a defensible argument across the full path from model capability to social harm.
First, it must define the threat model. Is the concern chemical or biological assistance, offensive cyber capability, autonomous replication, AI research acceleration, manipulation, model-weight theft, high-stakes sabotage, or loss of operator control? A case that merely says "we tested for misuse" has not named the risk.
Second, it must explain capability elicitation. A weak prompt, small evaluation budget, or artificial sandbox can understate capability. If the release decision depends on whether a model can meaningfully help a capable adversary, the evaluation must ask what the model can do with realistic scaffolding, tools, expert prompting, retries, and access patterns. This connects directly to the problem in The Benchmark Becomes the Curriculum: a score is only evidence if the test actually touches the deployment world.
Third, it must describe safeguards at the right layer. Some risks require refusal behavior. Others require access controls, monitoring, model-weight security, rate limits, user vetting, tool permissions, logging, staged rollout, incident response, or restriction to trusted users. The safety case should say why the chosen controls match the pathway to harm.
For agentic deployments, the case has to prove an authority envelope as well as model behavior: what tools the system can call, what credentials it holds, what data it can read or write, when a human must interrupt or confirm, and how logs support rollback and incident review. A harmless answer model can become a high-risk actor when given standing access to workflows.
Fourth, it must account for residual risk. "We added mitigations" is not the same as "risk is acceptable." The hard question is what remains after mitigations, who is exposed to it, who can detect it, who can stop it, and who has authority to revise or reverse the deployment.
Fifth, it must include update conditions. Frontier AI systems change. Attackers adapt. Users discover affordances. Fine-tunes and tools alter behavior. A safety case that cannot be reopened after incidents, jailbreaks, new evaluations, or model updates is only a launch memo.
Sixth, it must preserve dissent and failed arguments. A serious case should not contain only the path to approval. It should show countercases, unresolved evaluator disagreements, failed mitigations, downgraded assumptions, and the reasons decision-makers accepted or rejected them. Otherwise the document proves only that an institution can write a coherent story after choosing a destination.
Seventh, it must define the monitoring handoff. NIST's 2026 report on deployed AI monitoring says pre-deployment evaluations remain controlled tests and that real-world monitoring methods are still nascent. That should make safety cases more modest, not less useful. A credible case should say which signals will be watched after release, which incident categories reopen the case, and how the deployment can be narrowed or withdrawn if production evidence contradicts the pre-release argument.
The Release-Gate Packet
The practical unit is not a PDF called a safety case. It is the release-gate packet: the bundle of records that lets a reviewer reconstruct the object being released, the argument for release, the evidence behind the argument, the authority that accepted residual risk, and the conditions that would reverse the decision.
A credible packet should contain at least eight parts.
- System boundary: model build, weights or hosted endpoint, post-training recipe, product wrapper, router, system prompt, retrieval layer, memory setting, tool surface, access tier, and deployment owner. This belongs in the AI system inventory, not only in a launch memo.
- Claim map: the top-level safety claim, subclaims, assumptions, dependencies, accepted uncertainty, and the specific boundary being opened.
- Evidence index: capability evaluations, red-team evidence, safeguard tests, model-weight security review, external evaluator input, incident history, and post-mitigation retests, linked to the claims they support.
- Countercase log: failed mitigations, evaluator disagreement, inconclusive severe-risk signals, under-elicitation concerns, and the strongest argument for delaying or narrowing release.
- Mitigation closure: each serious finding, owner, change made, retest result, residual risk, and whether the release candidate is the same system that was retested.
- Authority record: reviewer roles, conflicts of interest, decision meeting, dissent handling, board or leadership escalation, and who had authority to say no.
- Monitoring and rollback plan: production signals, incident categories, drift triggers, model-change rules, user or customer notification conditions, and withdrawal or access-narrowing path.
- Disclosure split: what is public, what is regulator-only, what is shared with trusted evaluators or high-impact deployers, what is security-redacted, and where the unredacted record is retained.
This packet connects the safety case to adjacent governance machinery: audit trails, change management, post-market monitoring, model-weight security, and agentic model validation. If the system can act through tools, the packet must also include the runtime authority envelope described in the agent governance plane and the tool boundary described in the tool server as trust boundary.
The packet should also distinguish reversible and irreversible release paths. A hosted API, trusted-tester deployment, internal agent workflow, and open-weight release have different rollback physics. A safety case that treats them as equivalent is already losing control of the boundary it claims to govern.
Private Gates, Public Consequences
The current safety-case regime is mostly private. A company defines the framework, runs many of the evaluations, judges its own residual risk, and decides whether a launch or internal deployment should proceed. Even when outside experts are involved, the public often sees a polished summary rather than the full argument, evidence, dissent, and decision trail.
That private structure is understandable. Frontier models involve security-sensitive details, unreleased capabilities, proprietary systems, and genuine misuse concerns. Publishing every dangerous-capability test or mitigation weakness could help adversaries. But secrecy also creates a legitimacy problem. If the public consequence is broad and the evidence is hidden, society is asked to trust the institution that benefits from release.
The emerging public counterweight is government evaluation access. In May 2026, NIST's Center for AI Standards and Innovation announced agreements with Google DeepMind, Microsoft, and xAI for pre-deployment evaluations and targeted research on frontier AI capabilities, building on earlier partnerships. That is meaningful public measurement capacity. It is still not the same as a comprehensive licensing regime, public right of access, or automatic power to block release. A safety case can absorb institute evidence, but institute participation should not become a stamp unless the authority and scope are clear.
This is the same tension described in The System Card Becomes a Release Ritual. Disclosure can discipline a launch, but it can also become ceremonial. A safety case improves on the system card only if it changes the decision process. It has to create a place where evidence can stop a release, narrow a deployment, trigger stronger controls, or force post-deployment monitoring.
It also connects to The AI Audit Becomes the Compliance Interface, the measurement state of AI safety institutes, and the AI register as public memory. The safety case is the object an auditor, regulator, safety institute, board committee, or court might eventually inspect. It is not accountability by itself. It is the file accountability needs.
Failure Modes
The first failure mode is argument theater. The case has headings, diagrams, and risk matrices, but the conclusion was fixed before the evidence was assembled. The document just rationalizes a launch.
The second is threshold gaming. Capability thresholds become targets to stay just below, define narrowly, or test in ways that avoid triggering stronger safeguards. If a framework is tied to launch permission, there is pressure to make the gate easier to pass.
The third is residual-risk laundering. A company acknowledges uncertainty, says risk remains, and then treats the acknowledgment itself as proof of responsibility. Naming uncertainty is necessary. It is not mitigation.
The fourth is internal-deployment blindness. Powerful systems may be risky before public release if they are used inside AI labs for coding, cybersecurity, data work, agent orchestration, or AI research acceleration. Google DeepMind's expansion of safety-case review to some large-scale internal deployments points at the right problem: the release boundary is not always public availability.
The fifth is security opacity. Model-weight security, insider-threat controls, and access restrictions are central to many safety frameworks, but they are also difficult for outsiders to verify. A safety case may depend on controls the public cannot inspect.
The sixth is no public memory. If safety cases remain confidential and post-deployment updates are sparse, society cannot learn which arguments held up, which failed, and which evidence was missing. The result is institutional amnesia around systems that are supposed to be governed by evidence.
The seventh is scope substitution. A case written for API access is used to reassure consumer release; a case written for external launch is used to bless internal autonomous research workflows; a case written for a model without tools is reused after tools, memory, browsing, or enterprise connectors are attached.
The eighth is whistleblower dependence. If the only way outsiders learn that a safety case was ignored is through a leaked memo or employee resignation, the release gate has already failed as a governance mechanism. A healthy regime needs protected internal challenge channels before dissent becomes crisis. That connects directly to the whistleblower channel as safety valve.
The ninth is compliance substitution. A provider points to a code of practice, framework, transparency report, board review, or regulator submission and treats the existence of that artifact as equivalent to a strong safety argument. Compliance can supply evidence. It does not automatically prove that the evidence supports the decision.
The tenth is packet fragmentation. The safety argument sits in one document, the red-team findings in another, the model-weight security review in a third, the product-wrapper changes in a ticket system, and the launch approval in meeting minutes. Each artifact may be defensible in isolation while the release gate has no single inspectable chain from claim to evidence to decision.
The Institutional Standard
A serious frontier AI safety-case regime should meet seventeen tests.
First, the case should be boundary-specific. It should state whether it concerns training continuation, internal deployment, API access, consumer release, open-weight publication, tool-enabled agents, trusted-user access, or integration into sensitive domains.
Second, the threat model should be explicit. CBRN, cyber, persuasion, autonomy, AI R&D acceleration, model exfiltration, and sabotage are different risks. They require different evidence.
Third, the evidence should include attempted elicitation, not only ordinary use. Severe-risk governance depends on what capable users, adversaries, and scaffolds can draw out of the system.
Fourth, safeguards should be mapped to pathways. Refusals, classifiers, access controls, trusted-user programs, monitoring, rate limits, tool restrictions, incident response, and weight security should appear because they block a named route to harm.
Fifth, decision authority should be separated where possible. Product leadership, safety teams, board committees, external evaluators, and public agencies should not collapse into a single launch incentive.
Sixth, publishable summaries should preserve the argument. Some details will remain confidential, but public reporting should still say what risk was considered, what evidence mattered, what mitigations were chosen, what uncertainty remains, and what would trigger reconsideration.
Seventh, post-deployment review should be part of the case. A safety case should not end at launch. It should define monitoring, incident reporting, re-evaluation, model-change control, and withdrawal conditions.
Eighth, the case should have a registry trail. The organization should record which version of the model, policy layer, tool configuration, access tier, and deployment setting the case covered. Later deployers should be able to tell whether they are still inside the approved envelope.
Ninth, protected challenge should be built in. Safety staff, external evaluators, domain experts, and affected deployers need channels to preserve dissent, report noncompliance, and trigger escalation without retaliation.
Tenth, public summaries should separate primary evidence from governance claims. "We ran a red team," "the board reviewed the case," "an external expert was consulted," and "the residual risk is acceptable" are different kinds of claims. The summary should not merge them into one reassurance paragraph.
Eleventh, independent access should be specified. If a regulator, safety institute, external evaluator, or auditor reviewed part of the case, the public summary should say what they could inspect, what they could not inspect, whether they saw the same model and safeguards being deployed, and whether their findings could change the decision.
Twelfth, legal compliance should be mapped but not inflated. EU Article 55 duties, the GPAI Code of Practice, California frontier-AI framework duties, NIST risk-management guidance, and company policies can all support a case. The case should show which legal or voluntary obligation each piece of evidence satisfies and where the safety argument goes beyond compliance.
Thirteenth, the release candidate should be the tested object. The case should distinguish base model, post-trained model, product wrapper, router, system prompt, policy layer, retrieval system, tool surface, monitoring stack, and access tier. A material change to any of those should trigger retest or a fresh argument.
Fourteenth, no-go and rollback conditions should be explicit. The file should say what evidence would delay release, narrow access, require stronger safeguards, notify a regulator or customer, or withdraw the system after deployment.
Fifteenth, agentic authority should have its own envelope. If the deployment can act through tools, credentials, memory, browser control, code execution, payments, messages, or other agents, the safety case should prove least privilege, scoped delegation, human interruption points, monitoring, rollback, and incident reconstruction for that authority.
Sixteenth, redaction should be mapped. Public summaries may need to hide exploit details, security controls, proprietary training information, or private user data, but the summary should say what class of evidence was withheld and which authorized reviewer can inspect the unredacted record.
Seventeenth, downstream handoff should be named. If enterprise customers, government agencies, researchers, plugin developers, model hubs, or open-weight users inherit part of the risk, the release case should say what evidence, warnings, restrictions, and incident channels travel with the system.
What This Changes
A safety case is a ritual only if it cannot say no.
That is the central test. Frontier AI developers can publish frameworks, run red teams, convene advisory groups, and describe severe risks. The institutional question is whether the process has enough force to slow, narrow, redesign, or stop deployment when the evidence does not support release.
The deeper issue is model-mediated knowledge. The public rarely encounters the frontier model as code or weights. It encounters the model through interfaces, system cards, press releases, benchmarks, demos, policy commitments, and eventually the outputs that reshape work and belief. The safety case sits behind those surfaces as a hidden argument about permission. It says which futures the institution believes it is entitled to try.
That is why the form matters. A safety case can discipline belief formation by requiring a chain from claim to evidence to decision. It can also manufacture legitimacy if the chain is invisible, incomplete, or captive to launch incentives. The difference is not rhetorical. It is institutional design.
AI governance often arrives too late, after the model is deployed and the public is left to absorb the update. The safety-case model moves governance closer to the release gate. It asks developers to make the argument before the world becomes the test environment.
The standard should be concrete. What capability was found? What harm pathway was considered? What safeguards block it? Who checked the evidence? Who could object? What remains uncertain? What happens if the model behaves differently at scale? What evidence would force retreat?
If those questions cannot be answered, the safety case is not a gate. It is a decorative arch over an open road.
Source Discipline
This article treats developer frameworks as primary evidence of declared company process, not as independent proof that a model is safe. OpenAI, Anthropic, and Google DeepMind documents say how those organizations intend to classify capabilities, review safeguards, and make deployment decisions. They do not by themselves verify that the controls worked in a particular deployment.
Government and regulator sources play a different role. The Seoul commitments show voluntary industry promises coordinated by governments. EU Article 55 shows a legal duty for systemic-risk general-purpose models to evaluate, adversarially test, mitigate, report incidents, and secure systems. The GPAI Code of Practice and Commission guidelines show an implementation path, not proof that any provider has satisfied its duties in a particular deployment. NIST's AI RMF shows a voluntary risk-management framework, while NIST monitoring, AI-agent standards, and CAISI materials show developing public measurement capacity. AISI's safety-case work is research and convening, not a binding certification regime.
California SB 53 is state legislation with narrower scope than this essay's governance standard. It addresses large frontier developers, frontier AI frameworks, catastrophic-risk assessments, critical safety incidents, internal-use reporting, and whistleblower protections. It should not be cited as if it covers every AI release, every social harm, or every deployer.
Agentic-AI security guidance is operational guidance, not a public release license. It is useful because it names authority, privilege, monitoring, and attack-surface problems that a safety case must cover when a system can act through tools. It does not prove that any deployed agent has those controls.
Operational artifacts need the same caution. A release-gate packet, system inventory, red-team evidence file, registry entry, model report, or rollback plan is useful only if it is versioned, connected to the tested release candidate, and available to someone with authority to contest the decision. The existence of a record is not the same as the strength of the argument inside it.
METR's comparison is a secondary analysis of published policies. It is useful because it maps common elements across many developers, but it should not be read as an endorsement of any one framework or as evidence that the policies were followed. For this June 25, 2026 review, current-source claims were checked against official or primary sources where possible, and a safety case earns weight only when the source trail preserves the claim, evidence, method, reviewer, decision, dissent, and post-deployment update record.
Related Pages
- AI Safety Cases
- Frontier AI Safety Frameworks
- AI Safety Institutes
- AI Evaluations
- AI Audits and Third-Party Assurance
- AI Audit Trails
- AI System Inventory
- AI Change Management
- AI Post-Market Monitoring
- Capability Elicitation
- Model Weight Security
- AI Incident Reporting
- Model Cards and System Cards
- AI Agent Observability
- AI Agent Sandboxing
- The Red Team Becomes the Release Theater
- The System Card Becomes a Release Ritual
- The Measurement State Comes for AI
- The Agentic Model Becomes the Validation Problem
- The Open-Weight Model Becomes the Release Boundary
- The Governance Document Becomes a Revalidation Problem
- The Agent Runtime Becomes the Governance Plane
- The Agent Log Becomes the Receipt
- The Agent Sandbox Becomes the Airlock
- The Whistleblower Channel Becomes the Safety Valve
Sources
- AI Security Institute, Safety cases at AISI, reviewed June 25, 2026.
- AI Security Institute, How can safety cases be used to help with frontier AI safety?, February 10, 2025, reviewed June 25, 2026.
- Marie Davidsen Buhl, Gaurav Sett, Leonie Koessler, Jonas Schuett, and Markus Anderljung, Safety cases for frontier AI, arXiv, October 2024, reviewed June 25, 2026.
- UK Government, Frontier AI Safety Commitments, AI Seoul Summit 2024, updated February 7, 2025, reviewed June 25, 2026.
- Google DeepMind, Updating the Frontier Safety Framework, February 4, 2025, reviewed June 25, 2026.
- Google DeepMind, Google DeepMind strengthens the Frontier Safety Framework, September 22, 2025, updated April 17, 2026, reviewed June 25, 2026.
- OpenAI, Our updated Preparedness Framework, April 15, 2025, reviewed June 25, 2026.
- OpenAI, Preparedness Framework, version 2, April 15, 2025, reviewed June 25, 2026.
- Anthropic, Responsible Scaling Policy Updates, last updated May 26, 2026, reviewed June 25, 2026.
- Anthropic, Frontier Safety Roadmap, reviewed June 25, 2026.
- METR, Common Elements of Frontier AI Safety Policies, March 2025, reviewed June 25, 2026.
- NIST, AI Risk Management Framework, including the Generative AI Profile and 2026 revision notice, reviewed June 25, 2026.
- NIST, Challenges to the Monitoring of Deployed AI Systems, NIST AI 800-4, March 2026, reviewed June 25, 2026.
- NIST, AI Agent Standards Initiative, created February 17, 2026, updated April 20, 2026, reviewed June 25, 2026.
- NIST GovDelivery bulletin, CAISI Signs Agreements Regarding Frontier AI National Security Testing With Google DeepMind, Microsoft and xAI, May 5, 2026, reviewed June 25, 2026.
- European Commission AI Act Service Desk, Article 55: Obligations of providers of general-purpose AI models with systemic risk, Regulation (EU) 2024/1689, reviewed June 25, 2026.
- European Commission, The General-Purpose AI Code of Practice, published July 10, 2025, reviewed June 25, 2026.
- European Commission, Guidelines for providers of general-purpose AI models, last updated April 28, 2026, reviewed June 25, 2026.
- California Legislative Information, SB-53 Artificial intelligence models: large developers, chaptered September 29, 2025, reviewed June 25, 2026.
- ASD's Australian Cyber Security Centre, CISA, NSA, Canadian Centre for Cyber Security, NCSC-NZ, and NCSC-UK, Careful adoption of agentic AI services, April 2026, reviewed June 25, 2026.